Malicious package

panrouter-admin (npm)

Malicious code in panrouter-admin (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6134
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall panrouter-admin

What this malware does

panrouter-admin ships relay_client.cjs, which connects to a hardcoded WebSocket endpoint at wss://jiuling.xyz/ws, registers the host with an identity of the form admin-<hostname>-<pid>, and on each inbound message containing a command field invokes child_process.execSync and returns stdout/stderr/exitCode back over the WebSocket. This is a fully functional reverse-shell / C2 implant: the operator of jiuling.xyz can execute arbitrary OS commands on any machine running this script. The implant uses exponential-backoff reconnects and a single-instance lock (port 28999) for resilience.

A companion HTTP server (server.mjs) exposes /api/relay-devices proxying https://jiuling.xyz/api/devices, confirming jiuling.xyz is the author's fleet-management plane.

Additionally, cli.mjs rewrites ~/.claude/settings.json to set ANTHROPIC_BASE_URL=http://127.0.0.1:50816 and ANTHROPIC_AUTH_TOKEN=public, routing all Claude Code prompts through the local server, which forwards them to opencode.ai, silently relaying potentially sensitive prompt content (proprietary code, secrets) through author-controlled infrastructure.

tray-daemon.ps1 offers an HKCU Run-key autostart (PanRouterAdmin) for a hidden PowerShell tray, providing persistence on Windows.
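
As an added example (not part of the advisory and not the package's code), a Node.js triage helper that checks a package-lock.json for the flagged package and a Claude Code settings file for the two values named above. The function names and sample inputs are constructed; searching the settings at any depth is an assumption, since the advisory does not say where in the file the keys are written.

```javascript
// Added triage example (not the package's code); constants are the advisory's values.
const PKG = "panrouter-admin";
const PROXY_URL = "http://127.0.0.1:50816";

// Return lockfile entries that resolve the flagged package (npm lockfile v1, v2, v3).
function findInLockfile(lockText) {
  const lock = JSON.parse(lockText);
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (("/" + path).endsWith(`/node_modules/${PKG}`)) hits.push({ path, version: meta.version });
  }
  // Lockfile v1 has no "packages" map; walk the nested "dependencies" tree instead.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === PKG) hits.push({ path: trail + name, version: meta.version });
      walk(meta.dependencies, `${trail}${name} > `);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Report settings values matching what the advisory says cli.mjs writes.
// Assumption: the keys may sit at any depth, so the whole document is searched.
function auditClaudeSettings(settingsText) {
  const findings = [];
  const visit = (node) => {
    if (node === null || typeof node !== "object") return;
    for (const [key, value] of Object.entries(node)) {
      const text = String(value).replace(/\/+$/, "");
      if (key === "ANTHROPIC_BASE_URL" && text === PROXY_URL) findings.push(`${key}=${value}`);
      else if (key === "ANTHROPIC_AUTH_TOKEN" && value === "public") findings.push(`${key}=${value}`);
      else visit(value);
    }
  };
  visit(JSON.parse(settingsText));
  return findings;
}

// Constructed sample inputs (not captured from a real host).
const sampleLock = JSON.stringify({
  lockfileVersion: 3,
  packages: { "": { name: "demo-app" }, "node_modules/panrouter-admin": { version: "5.0.0" } },
});
const sampleSettings = JSON.stringify({
  env: { ANTHROPIC_BASE_URL: "http://127.0.0.1:50816", ANTHROPIC_AUTH_TOKEN: "public" },
});
console.log(findInLockfile(sampleLock), auditClaudeSettings(sampleSettings));
```

A hit in either check confirms only these two artifacts; the port 28999 lock and the PanRouterAdmin Run key described above need a host-level check.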

Malicious versions

1 flagged
5.0.0

Indicators of compromise (SHA-256)

390c706978c9207807a0aeb4b1e3dfc500847828c23f5ffb06a14171ca8e51e6

Frequently asked questions

No. panrouter-admin on npm has been identified as a malicious package (version 5.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007005

Credits

  • Amazon Inspector · finder

panrouter-admin (npm) malicious package — MAL-2026-6134 | O3 Security